2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014


How to Use this Guidance

This page provides a roadmap to assist critical infrastructure partners in navigating and using the Sector-Specific Plan (SSP) Guidance. This guidance document is intended as a comprehensive resource of information for partners to use in their sector planning and SSP development efforts.

Section 2 represents the core of this guidance document. Sector-Specific Agencies (SSAs) and sector councils should focus on the annotated outline in section 2 to ensure that their SSPs address the required elements described in Call to Action #2 in NIPP 2013. The other sections of this document provide additional guidelines that partners may find useful for SSP development and/or sector planning purposes.

The following provides a brief description of each section of this Guidance and how to use it.

- Section 1 provides an Overview of the guidance and how it was developed.
- Section 2 contains an Annotated Outline for the 2014 SSPs. The sectors are encouraged to follow similar outlines in their SSPs to ensure coverage of the elements identified in NIPP 2013 and support uniformity across the plans. Section 2 also provides a Table Template that sectors should use in their SSPs to show how sector priorities align with national goals and priorities.
- Section 3 presents additional Considerations for the Planning Process that the sectors may wish to use as part of their overall sector planning efforts. Each sector will decide whether any or all of these considerations are included in their SSP based on the unique risk and operating landscape of the sector.
- The Appendix contains various Reference Materials to inform SSP development, including:
  o Key definitions;
  o Sample language on the purpose of the SSPs; and
  o National-level goals, priorities, and activities; with tables and graphics showing how they map to each other and the sector-level goals, priorities, and activities.

Table of Contents

1. Overview
2. Annotated Outline for the Sector-Specific Plans
3. Considerations for the Planning Process
   Supporting the NIPP Call to Action
   Mitigating Current and Long-Term Trends
   Sharing and Protecting Information
   Assessing Critical Infrastructure Risk
   Measuring Effectiveness (CtA 11)
   Learning and Adapting (CtA 9, 12; JNP)
Appendix: Reference Materials
   Lexicon of Common Terms
   NIPP Goals
   Joint National Priorities [DRAFT]
   NIPP Call to Action
   NIST Cybersecurity Framework Performance Goals
   Alignment of NIPP 2013 Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework
   Explanation of SSP Planning Elements
   Proposed Language for SSP Introduction

1. Overview

The Sector-Specific Plans (SSPs) are intended to tailor the strategic guidance provided in the updated National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (hereafter NIPP 2013), to the unique risk and operating environment of each critical infrastructure sector. The SSPs serve as planning tools for the Sector-Specific Agencies (SSAs), critical infrastructure owners and operators, and their sector partners at the regional, State, local, tribal, and territorial levels, to guide and integrate sector efforts to secure and strengthen the resilience of critical infrastructure.

An SSP should identify the sector's security and resilience priorities and describe its approach to managing critical infrastructure risk. It should build upon previous sector efforts, such as the 2010 SSPs, and other strategic plans and roadmaps. It is not intended as a replacement for company-specific planning documents or risk management processes. The SSP serves as an outreach tool for sector partners, and should be as clear and concise as possible.

DHS is providing this guidance to assist SSAs and Government and Sector Coordinating Councils in their sector planning and SSP development efforts. The guidance was developed collaboratively by an SSP working group, which worked as part of the overall NIPP Implementation Working Group, composed of representatives of SSAs and cross-sector councils. The working group sought to provide flexibility to each sector to develop a plan that reflects their needs, while also providing a common structure that is comparable across all SSPs. This approach resulted in the development of an Annotated Outline, which provides a basic structure for the key topics that SSPs should cover, and Considerations for the Planning Process, which identify additional topics and issues that each sector may wish to address, as appropriate to their situation.

The Annotated Outline provides general guidance for each chapter of the SSP. The breakdown within each section (a, b, c, etc.) provides a suggested structure and may be modified to suit each sector's needs. In addition, the length of the SSP will be determined by each sector. Some sectors may prefer a shorter business plan approach that focuses on the sector's priorities and builds on previous sector planning efforts. Other sectors may choose to have a longer plan that provides more complete descriptions of sector assets, risks, and risk management processes to provide a better context for their priorities. However, each SSP must address the requirements of Call to Action #2 in NIPP 2013, including how the sector will contribute to advancing the Joint National Priorities and achieving the NIPP goals.

For consistency, the SSPs should follow the same terminology used in NIPP 2013, which focuses on priorities instead of objectives. Priorities are used to identify the most important actions that the sector will pursue with limited resources. However, it is recognized that objectives are widely used in business and some sectors may choose to include them in the SSP, in addition to the priorities.

This guidance document also contains reference materials from NIPP 2013 and other sources that will help inform sector planning and SSP development. These include a lexicon of common terms; the NIPP Goals and Call to Action; the Joint National Priorities; the Cybersecurity Framework Performance Goals required by Executive Order 13636; and tables showing how all of these elements relate to one another.

2. Annotated Outline for the Sector-Specific Plans

The outline below offers guidance on the content of each chapter. Where appropriate, the relevant NIPP Call to Action that corresponds to that section is noted by (CtA).

1. Executive Summary
The Executive Summary should highlight the key elements of the SSP, focusing on the sector's priorities and risk management approach, and describe how progress will be measured. It need not summarize every section of the SSP.

2. Introduction
The Introduction should briefly explain the purpose of the SSP and its relationship to NIPP 2013, PPD-21, E.O , and other strategic drivers relevant to the sector. It may also include a brief summary of key changes from the 2010 SSP or how the sector has evolved. Sample language for this section is provided in the Reference Materials.

3. Overview
The Overview should provide an updated description of the sector. The chapter should include:
a. Profile
An overview of the composition of the sector and any subsectors to include characteristics of sector critical infrastructure, relevant operating factors, and a general overview of owners and operators within the sector.
b. Risks
High-level overview of the current and emerging all-hazard physical and cyber risk landscape that the sector faces, and the key trends that are shaping the sector's approach to managing risk. Note: Do not include classified or sensitive information about risk unless the sector plans to issue a classified or FOUO annex.
c. Critical Infrastructure Partners
Description of the partnership structures and coordinating mechanisms in place to execute risk management strategies, share information, and collaborate across the sector. Identify activities that the sector pursues to leverage partnership efforts (CtA #1-4). Description of the relevant roles and responsibilities of sector partners.

4. Vision, Mission, Goals, and Priorities
This chapter should articulate the sector's vision, mission, goals, and priorities developed collaboratively with sector partners, based on the five NIPP goals and the National Priorities developed jointly across the partnership (the Joint National Priorities). It should explain how the national goals and priorities relate to the sector, and how the sector priorities will accomplish or advance them.

The chapter should include:
a. Vision
b. Mission
c. Goals
d. Priorities
Describe the most important focus areas the sector will pursue over the next four years that contribute to achieving the NIPP goals and advancing the Call to Action and Joint National Priorities. These are the sector priorities, which should help guide sector security and resilience efforts, inform partner decisions, reflect actionable activities that partners will pursue to enhance security and resilience, and improve risk management practices, taking into consideration the unique risk management perspectives and resources of the sector. Include tables that crosswalk the sector priorities to the Joint National Priorities and NIPP Goals and Call to Action (see Crosswalk Tables at the end of the Annotated Outline).

5. Achieving Goals
This chapter should provide a concise description of how the sector plans to make progress toward its identified sector goals and contribute to achieving the NIPP goals. This description should map to the appropriate national and sector priorities, as well as the relevant Call to Action activities.
a. Risk Management
Description of the processes and approaches used by sector partners to manage physical and cyber risks. Identify any innovative strategies the sector employs to manage risks, including information-sharing strategies and mechanisms (CtA #4-10). Description of sector reliance on the lifeline functions [1] and strategies to mitigate consequences from the loss of those functions, including potential cascading effects (CtA #2, 6, 7). The sector's current and planned cybersecurity efforts, including use of the Cybersecurity Framework and the sector's approach for:
   1. Promoting and facilitating its use (CtA #4,5,6)
   2. Implementing initiatives for cybersecurity information sharing (CtA #5,6)
What are the sector's research and development (R&D) priorities and how are associated R&D requirements collected from sector partners? (CtA #10)
b. Critical Infrastructure and National Preparedness
Approaches for integrating critical infrastructure security and resilience activities with national preparedness efforts under PPD-8 (prevention, protection, mitigation, response, and recovery activities); in particular, sector plans and processes for transitioning from steady state to response and recovery operations [2] (CtA #2,7,8).

6. Measuring Effectiveness (CtA #11)
This chapter should describe current and planned security and resilience activities in the sector, and explain the ways in which partners measure the effectiveness of those activities and how they contribute to achieving national and sector goals.
a. Activities
Description of the activities the sector will pursue to advance critical infrastructure security and resilience, and how those activities align to the NIPP, sector, and NIST Cybersecurity Framework performance goals.
b. Measurement Approach
Explanation of how sector partners will measure the effectiveness of the identified activities, and how the activities contribute to the achievement of the NIPP, sector, and NIST Cybersecurity Framework performance goals.

7. Appendices (as appropriate)
Appendices may be used by each sector as necessary or appropriate. In past SSPs, appendices have been used to provide more thorough explanations of specific topics (sector description, partners, interdependencies, current sector programs, etc.). This approach can help shorten the length of the main body of the SSP and improve readability.

Crosswalk Tables
The following table templates can be used to show how each sector's priorities align with the NIPP goals and Call to Action and the Joint National Priorities. All sectors are encouraged to use these tables in their SSP.

[1] NIPP 2013 identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation, and water.
[2] For more information, see the National Preparedness Goal (2011), the National Response Framework and its Critical Infrastructure Support Annex (2013), and the National Disaster Recovery Framework (2011) at

Contribution of Priorities to Joint National Priorities and NIPP Goals

Table template (columns: Joint National Priorities; rows: NIPP Goals; example cell entries: "Title of Priority 1", "Title of Priority 2").

Joint National Priorities (DRAFT):
- Strengthen the Management of Cyber and Physical Risks to Critical Infrastructure
- Build Capabilities and Coordination for Enhanced Incident Response and Recovery
- Strengthen Collaboration Across Sectors, Jurisdictions, & Disciplines
- Enhance Effectiveness in Resilience Decisionmaking
- Share Information to Improve Prevention, Protection, Mitigation, Response, and Recovery Activities

NIPP Goals:
- Assess and analyze risks to critical infrastructure (T, V, C) to inform risk management activities.
- Secure critical infrastructure against physical, cyber, and human threats through sustainable risk reduction efforts, while considering costs and benefits.
- Enhance critical infrastructure resilience by minimizing consequences and employing effective response and recovery.
- Share information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking.
- Promote learning and adaptation during and after incidents and exercises.

Instructions
1. Place the title of each sector priority in the appropriate cell in the table above so that it aligns with the appropriate NIPP goals and Joint National Priorities.
2. Note that a sector priority may contribute to more than one NIPP goal and/or more than one Joint National Priority. If this is the case, place the name of the sector priority in each appropriate cell.

Contribution of Priorities to NIPP Call to Action

Table template (columns: Priorities, shown as Priority 1 through Priority 8; rows: Call to Action Activities).

Call to Action Activities:
1. Set national focus through jointly developed priorities.
2. Determine collective actions through joint planning efforts.
3. Empower local and regional partnerships to build capacity nationally.
4. Leverage incentives to advance security and resilience.
5. Enable risk-informed decisionmaking through enhanced situational awareness.
6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects.
7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents.
8. Promote infrastructure, community, and regional recovery following incidents.
9. Strengthen coordinated development and delivery of technical assistance, training, and education.
10. Improve critical infrastructure security and resilience by advancing R&D solutions.
11. Evaluate progress toward the achievement of goals.
12. Learn and adapt during and after exercises and incidents.

Instructions
1. Place the name of each sector priority in a column heading, as appropriate (number will vary by sector; adjust number of columns as appropriate).
2. Place a check mark in each cell in which a sector priority aligns and contributes to a Call to Action activity.
3. Note that a sector priority may contribute to more than one Call to Action, and a Call to Action may be aligned with more than one sector priority.

3. Considerations for the Planning Process

This section presents additional topics and issues that sectors may consider as part of the overall sector planning process. It is not intended to be an exhaustive list or to increase the length or coverage of any SSP beyond its intended use. These items may or may not be addressed in the SSPs, at the discretion of each sector. References to relevant Call to Action activities that correspond to each consideration are noted by (CtA); considerations that reflect Joint National Priorities are noted as (JNP).

As part of implementing Presidential Policy Directive 21 (PPD-21), the joint Evaluation & Planning Workgroup was charged with collaboratively developing an update to the existing NIPP. During the development process, the working group endeavored to keep the updated plan at a higher, more strategic level, and deferred more detailed or tactical information to the 2014 SSPs. Sectors are encouraged to keep this in mind as they develop the SSPs and provide more in-depth information on topics as they relate to the sector. This approach will assist the critical infrastructure community in satisfying the requirements of PPD-21 through both the NIPP and SSPs.

Supporting the NIPP Call to Action
- How is the sector addressing the applicable Call to Action activities? (See the Appendix for a full listing of the NIPP Call to Action.)

Mitigating Current and Long-Term Trends
- What activities has the sector undertaken (or will undertake in the future) to mitigate ongoing natural and human-caused risks to physical and cyber infrastructure?
- How is the sector mitigating the following trends [3], as applicable?
  o Climate change
  o Aging infrastructure and infrastructure failures
  o Positioning, navigation, and timing service dependencies
  o Internet of things
  o Other trends

Sharing and Protecting Information
- What are the sector's information-sharing requirements? Is sector information organized in any common taxonomy?
- What sector information-sharing structures, activities, and processes are used to enhance situational awareness and inform risk management decisions? (CtA 5, JNP)
- Do sectors have Information Sharing and Analysis Centers (ISACs) or other information-sharing and analysis organizations? If so, what processes are used to exchange information with these entities?
- How do sector processes support sharing information on cyber and physical risks with public and private sector partners in steady state and during incident response? Does the sector have defined information flows?

[3] Critical Infrastructure Strategic Environment, Draft White Paper; U.S. Department of Homeland Security, Office of Infrastructure Protection, April 25,

- How do sector information-sharing processes aim to build stronger best practices, a clearer understanding of sector dependencies and interdependencies, and a trusted environment that facilitates multidirectional information exchange?
- How does the sector safeguard critical infrastructure information and protect privacy and civil liberties?

Assessing Critical Infrastructure Risk
- How does the sector assess sector-wide risk? If a sector-wide risk assessment has not been done, what are the plans for conducting/supporting one in the future?
- How does the sector use risk assessment results to inform the prioritization of sector risk management activities and/or influence resource/budget decisions?
- How do sector risk assessments align with and support the Strategic National Risk Assessment and the Threat and Hazard Identification and Risk Assessment (THIRA) process?

Measuring Effectiveness (CtA 11)
- How do SSAs evaluate the effectiveness of security and resilience activities at different levels within their sector (i.e., national, State, local, and regional)? Do they employ quantitative measures of progress, qualitative descriptions of sector accomplishments, or both?
- What is the SSA's process for capturing sector activities and outcomes to support annual reporting on national security and resilience progress? Note: This may include the information collected by the SSA and a description of data collection limitations in the sector.
- Does the sector collaborate (or plan to collaborate) with other sectors to better understand cross-sector dependencies, interdependencies, and/or gaps?
- Do existing sector metrics assess the availability, reliability, resilience, and integrity of essential services? If not, does the sector plan to develop such metrics?

Learning and Adapting (CtA 9, 12; JNP)
- How does the sector involve partners in the design, development, and/or execution of exercises incorporating critical infrastructure considerations?
- What are the sector's procedures for after-action reporting (from incidents and exercises), tracking and implementing associated corrective actions, and incorporating lessons learned and best practices into training and technical assistance programs, and future planning and decisionmaking?

Appendix: Reference Materials

The following set of reference materials provides context and background to inform sector planning and SSP development. This section includes the following:
- Lexicon of Common Terms
- NIPP Goals
- Joint National Priorities [DRAFT]
- NIPP Call to Action
- NIST Cybersecurity Framework Performance Goals
- Alignment of NIPP Goals with Call to Action, Joint National Priorities, and the Cybersecurity Framework
- Explanation of SSP Planning Elements
- Proposed Language for SSP Introduction

Lexicon of Common Terms

Please refer to the NIPP 2013 Glossary for the most up-to-date definitions of terms related to the critical infrastructure security and resilience mission. Some of the definitions remain unchanged from the 2009 NIPP, but others were added or updated to reflect the evolution from 2009 to The source of each definition is provided in parentheses following the definition. A few key definitions from the NIPP 2013 Glossary are listed below for convenience:

All Hazards. The term "all hazards" means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure. (PPD-21, 2013)

Critical Infrastructure Community. Critical infrastructure owners and operators, both public and private; Federal departments and agencies; regional entities; State, local, tribal, and territorial (SLTT) governments; and other organizations from the private and nonprofit sectors with a role in securing and strengthening the resilience of the Nation's critical infrastructure, and/or promoting practices and ideas for doing so. (NIPP 2013: Partnering for Critical Infrastructure Security and Resilience)

Critical Infrastructure Partners. Those Federal and SLTT governmental entities; public and private sector owners and operators and representative organizations, regional organizations and coalitions, academic and professional entities, and certain not-for-profit and private volunteer organizations that share responsibility for securing and strengthening the resilience of the Nation's critical infrastructure. (Adapted from the 2009 NIPP)

National Preparedness. The actions taken to plan, organize, equip, train, and exercise to build and sustain the capabilities necessary to prevent, protect against, mitigate the effects of, respond to, and recover from those threats that pose the greatest risk to the security of the Nation. (PPD-8, 2011)

Regional. Entities and interests spanning geographic areas ranging from large multi-state areas to metropolitan areas and varying by organizational structure and key initiatives, yet fostering engagement and collaboration between critical infrastructure owners and operators, government, and other key stakeholders within the given location. (Regional Partnerships: Enabling Regional Critical Infrastructure Resilience, RC3, March 2011)

Risk. The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. (DHS Lexicon, 2010)

Stakeholder. The NIPP does not define the word "stakeholder," but to understand the distinction between partners and stakeholders, it is useful to refer to the definitions of Critical Infrastructure Partners and Critical Infrastructure Community above. Partners share responsibility for strengthening critical infrastructure security and resilience, while stakeholders may play a role in strengthening critical infrastructure security and resilience, and/or promoting practices and ideas for doing so. In addition, stakeholders may simply have an interest in critical infrastructure security and resilience, based on their involvement in related disciplines or activities. For example, Congress, the White House, and the Government Accountability Office are all critical infrastructure stakeholders.

NIPP Goals

NIPP 2013 presents the following goals:
1. Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities.
2. Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments.
3. Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and mitigation efforts, and employing effective responses to save lives and ensure the rapid recovery of essential services.
4. Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking.
5. Promote learning and adaptation during and after exercises and incidents.

These five goals are mapped below to the Call to Action, Joint National Priorities, and the NIST Cybersecurity Framework Performance Goals.

Joint National Priorities [DRAFT]

The critical infrastructure community developed and approved the following draft Joint National Priorities:

- Strengthen the management of cyber and physical risks to critical infrastructure
- Build capabilities and coordination for enhanced incident response and recovery
- Strengthen collaboration across sectors, jurisdictions, and disciplines
- Enhance effectiveness in resilience decisionmaking
- Share information to improve prevention, protection, mitigation, response, and recovery activities

NIPP Call to Action

1. Set National Focus through Jointly Developed Priorities
Jointly establish a set of national critical infrastructure security and resilience priorities to support Federal resource allocation, as well as planning and evaluation, at all levels in the national partnership. Review and validate the national priorities on an annual basis, and update them on a regular cycle timed to inform Federal budget development and SLTT grant programs.

2. Determine Collective Actions through Joint Planning Efforts
All sectors will update their Sector-Specific Plans (SSPs) to support NIPP 2013, and every four years thereafter, based on guidance developed by DHS in collaboration with the SSAs and cross-sector councils. The SSPs will:
  o Reflect joint priorities.
  o Address sector reliance on lifeline functions and include strategies to mitigate consequences from the loss of those functions, including potential cascading effects.
  o Describe approaches to integrating critical infrastructure and national preparedness efforts; in particular, transitioning from steady state to incident response and recovery via the National Response Framework's Emergency Support Functions (ESFs) and the National Disaster Recovery Framework's Recovery Support Functions (RSFs).
  o Describe current and planned cybersecurity efforts, including, but not limited to, use of the Cybersecurity Framework, cybersecurity information-sharing initiatives, programmatic activities, risk assessments, exercises, incident response and recovery efforts, and metrics.
  o Guide development of appropriate metrics and targets to measure progress toward the national goals and priorities, as well as other sector-specific priorities.
As appropriate, SLTT and regional entities can develop supporting plans to NIPP 2013 and the updated SSPs, whether cross-sector or by individual sector, that articulate shared priorities and activities at those levels. The State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) will collaborate with partners to provide guidance for such plans. The Federal government will work with the critical infrastructure community to provide updated guidance on cyber incident response.

3. Empower Local and Regional Partnerships to Build Capacity Nationally
Identify existing local and regional partnerships addressing critical infrastructure security and resilience, their focus and alignment with national partnership structures, and how to engage with them. Leverage State and major urban area fusion centers to engage with local and regional partners. Expand a national network of critical infrastructure and SLTT partnerships and coalitions to complement and enhance the national-level focus on sectors, while remaining cognizant of varying legal structures in different jurisdictions and organizations. Employ the THIRA process as a method to integrate human, physical, and cyber elements of critical infrastructure risk management. Using the existing process will facilitate better coordination of planning, resource allocation, and evaluation of progress by State and local governments, as well as local infrastructure owners and operators. Develop and advance a joint set of regional preparedness projects demonstrating the integrated application of critical infrastructure risk management and planning. This will involve Federal agencies responsible for implementing PPD-8 and PPD-21 working collaboratively with states, metropolitan areas, rural communities, and regional coalitions.

4. Leverage Incentives to Advance Security and Resilience
Continue to identify, analyze, and where appropriate, implement incentives. Support research and data gathering to quantify the potential costs imposed by a lack of critical infrastructure security and resilience, and inadequate cyber preparedness. Establish innovation challenge programs to incentivize new solutions to strengthen infrastructure security and resilience during infrastructure planning, design, and redesign phases, including technological, engineering, and process improvements.

5. Enable Risk-Informed Decisionmaking through Enhanced Situational Awareness
Undertake a partnership-wide review of impediments to information sharing to support efforts to address those challenges and develop best practices. Analyze legal considerations, the classification or sensitive nature of certain information, laws and policies that govern information dissemination, and the need to build trust among partners. Build upon the functional relationship descriptions developed as part of PPD-21 by further analyzing functional relationships within and across the Federal government (focused on critical infrastructure security and resilience) to identify overlaps, inefficiencies, and gaps and recommend changes to enhance situational awareness and risk-informed decisionmaking. Develop streamlined, standardized processes to promote integration and coordination of information sharing via jointly developed doctrine and supporting SOPs. Develop interoperability standards to enable more efficient information exchange through defined data standards and requirements, to include (1) a foundation for an information-sharing environment that has common data requirements and information flow and exchange across entities; and (2) sector-specific critical information requirements (i.e., critical reporting criteria), to allow for improved information flow and reporting to produce more complete and timely situational awareness for security and resilience.

6. Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects
Mature the capability to identify and understand cross-sector physical and cyber dependencies and interdependencies over different time frames at international, national, regional, and local levels.
Focus on the lifeline functions and resilience of global supply chains during potentially high-consequence incidents, given their importance to public health, welfare, and economic activity.
Continue to evolve the Cyber-Dependent Identification approach under Executive Order to consider the potential risks resulting from dependency on information and communications technology, and inform preparedness planning and capability development.

7. Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents
Enhance the capability to rapidly identify and assess cascading effects involving the lifeline functions, and contribute to identifying infrastructure priorities, both known and emerging, during response and recovery efforts.
Enhance the capacity of critical infrastructure partners to work through incident management structures such as the ESFs to mitigate the consequences of disruptions to the lifeline functions.

8. Promote Infrastructure, Community, and Regional Recovery Following Incidents
Leverage Federal field staff (including Protective Security Advisors) and encourage states and localities to promote consideration of critical infrastructure challenges in pre-incident recovery planning, post-incident damage assessments, and development of recovery strategies.
Support examination of initiatives to enhance, repair, or replace infrastructure providing lifeline functions during recovery.

9. Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education
Capture, report, and prioritize the technical assistance, training, and education needs of the various partners within the critical infrastructure community.
Examine current Federal technical assistance, training, and education programs to ensure that they support the national priorities and the risk management activities described in NIPP 2013 to advance progress toward the national goals.
Increase coordination of technical assistance efforts, particularly within DHS and among the SSAs, and leverage a wider network of partners to deliver training and education programs to better serve recipients and reach a wider audience while conserving resources.
Partner with academia to establish and update critical infrastructure curricula that help to train critical infrastructure professionals, including executives and managers, to manage the benefits and inherent vulnerabilities introduced by information and communications technologies in critical infrastructure assets, systems, and networks.

10. Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions
Promoting R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;
Enhancing modeling capabilities to determine the potential impacts of an incident or threat scenario on critical infrastructure, as well as cascading effects on other sectors;
Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience; and
Prioritizing efforts to support the strategic guidance issued by DHS.

11. Evaluate Progress toward the Achievement of Goals
Jointly identify high-level outputs or outcomes associated with the national goals and priorities to facilitate evaluation of progress toward the goals and priorities.
Develop the Critical Infrastructure National Annual Report and National Preparedness Report annually through standardized data calls to SSAs and sector partners to build a national picture of progress toward the NIPP vision and goals and the National Preparedness Goal.
Incorporate performance data from industry, SLTT, and regional entities to reflect progress throughout the critical infrastructure community at all levels.

12. Learn and Adapt During and After Exercises and Incidents
Develop and conduct exercises through participatory processes to suit diverse needs and purposes.
o Promote broad participation and coordination among government and interested private sector partners, including the R&D community, in exercise design, conduct, and evaluation to reflect the perspectives of all partners and maximize the value for future planning and operations.
o Develop exercises at multiple levels and in various formats to suit national, regional, and SLTT needs.
Design exercises to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts.
Share lessons learned and corrective actions from exercises and incidents, and rapidly incorporate them into technical assistance, training, and education programs to improve future security and resilience efforts.

NIST Cybersecurity Framework Performance Goals

The NIST Cybersecurity Framework identifies the following performance goals:
1. Critical systems and functions are identified and prioritized, and cyber risk is understood as part of a risk management plan.
2. Risk-informed actions are taken to protect critical systems and functions.
3. Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.
4. Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning and informed by situational awareness.
5. Adverse cyber activities are detected and situational awareness of threats is maintained.
6. Security and resilience are continually improved based on lessons learned, consistent with risk management planning.

Alignment of NIPP Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework

NIPP Goals
Assess & Analyze Risks to Critical Infrastructure to Inform Risk Mgmt. Activities
Secure Critical Infrastructure Against Threats While Considering Costs and Benefits
Enhance Critical Infrastructure Resilience by Minimizing Consequences & Employing Effective Response & Recovery
Share Information to Enable Risk-Informed Decisions
Promote Learning & Adaptation During/After Incidents & Exercises

Call to Action Activities
1. Set national focus through jointly developed priorities.
2. Determine collective actions through joint planning efforts.
3. Empower local and regional partnerships to build capacity nationally.
4. Leverage incentives to advance security & resilience.
5. Enable risk-informed decisionmaking through enhanced situational awareness.
6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects.
7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents.
8. Promote infrastructure, community, and regional recovery following incidents.
9. Strengthen coordinated development and delivery of technical assistance, training, and education.
10. Improve critical infrastructure security and resilience by advancing R&D solutions.
11. Evaluate progress toward the achievement of goals.
12. Learn and adapt during and after exercises and incidents.

Draft Joint National Priorities
Strengthen the management of cyber and physical risks to critical infrastructure
Enhance effectiveness in resilience decisionmaking
Strengthen collaboration across sectors, jurisdictions, and disciplines
Build capabilities and coordination for enhanced incident response and recovery
Share information to improve prevention, protection, mitigation, response, and recovery activities

Cybersecurity Framework Performance Goals
Critical systems and functions are identified and prioritized, and cyber risk is understood as part of a risk management plan.
Risk-informed actions are taken to protect critical systems and functions.
Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.
Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning, and informed by situational awareness.
Adverse cyber activities are detected and situational awareness of threats is maintained.
Security and resilience are continually improved based on lessons learned, consistent with risk management planning.

Explanation of SSP Planning Elements

The table below provides an explanation of key planning elements used in the SSP.

SSP Planning Elements: Explanation
NIPP Goals: The five national goals included on page 5 of NIPP 2013 (provided in this appendix).
Sector Goals: The sector's statement of goals that align with the NIPP goals.
Joint National Priorities: High-level priorities based on a collaborative process that is defined in Call to Action #1 on pages of NIPP 2013 (provided in this appendix).
Sector Priorities: The most important broad focus areas that the sector will pursue over the next four years to advance the national goals. These are at a higher level than an activity. It is anticipated that all priorities will align and support one or more JNPs and Call to Action activities. However, not all JNPs/CtAs will be addressed.
Sector Activities: The identifiable actions that the sector will take to achieve both the NIPP and sector goals. These may be multi-year (ongoing) activities, or activities with more discrete periods and defined end points. Many, but not all, of the activities will align and support the JNPs and the Call to Action.

Relationship of the Sector Goals and Priorities to National-Level Goals

Each sector will develop sector goals, priorities, and activities that align with the NIPP Goals and Call to Action, and the Joint National Priorities. The figure below demonstrates how those sector goals and priorities relate to national-level guidance.

Proposed Language for SSP Introduction

The following sample text is provided to sectors to describe the purpose of the SSP. It can be tailored to meet each sector's needs. However, using similar language on the purpose of the SSPs will help maintain consistency across the plans.

The purpose of the Sector-Specific Plan (SSP) is to guide and integrate the sector's efforts to secure and strengthen the resilience of critical infrastructure and describe how the Sector contributes to national critical infrastructure security and resilience, as set forth in Presidential Policy Directive 21 (PPD-21). This SSP tailors the strategic guidance provided in NIPP 2013 to the unique operating conditions and risk landscape of the Sector. This SSP represents a collaborative effort among the private sector; State, local, tribal, and territorial governments; non-governmental organizations; and Federal departments and agencies to work toward achieving shared goals and priorities to reduce critical infrastructure risk. It also reflects the maturation of the partnership and the progress made by the sector since the 2010 SSP to address the evolving risk, operating, and policy environments.


More information

The Office of Infrastructure Protection

The Office of Infrastructure Protection The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Protective Security Coordination Division Overview MTIA St Louis 03 MAY 2016 Role of

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Draft Version 1.1 National Institute of Standards and Technology January 10, 2017 Note to Reviewers on the Update and Next Steps The draft

More information

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT Mitigation Framework Leadership Group (MitFLG) Charter DRAFT October 28, 2013 1.0 Authorities and Oversight The Mitigation Framework Leadership Group (MitFLG) is hereby established in support of and consistent

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

National Health Security Strategy

National Health Security Strategy United States Department of Health & Human Services Office of the Assistant Secretary for Preparedness and Response #NHSS National Health Security Strategy Lisa G. Kaplowitz, MD, MSHA Deputy Assistant

More information

Department of Defense. Installation Energy Resilience

Department of Defense. Installation Energy Resilience Department of Defense Installation Energy Resilience Lisa A. Jung DASD (Installation Energy) OASD(Energy, Installations and Environment) 19 June 2018 Installation Energy is Energy that Powers Our Military

More information

Intelligence Support to Critical Infrastructure Protection Table of Contents

Intelligence Support to Critical Infrastructure Protection Table of Contents Intelligence Support to Critical Infrastructure Protection Table of Contents Purpose and Overview... 2 Introduction... 2 Defining Critical Infrastructure... 5 Identifying the Decisions Makers... 8 Critical

More information

Cyber Partnership Blueprint: An Outline

Cyber Partnership Blueprint: An Outline Approved for Public Release; Distribution Unlimited. 13-3851 The MITRE Corporation Cyber Partnership Blueprint: An Outline October 26, 2013 Copyright 1997-2013, The MITRE Corporation. All rights reserved.

More information

March 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience

March 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience This document is scheduled to be published in the Federal Register on 03/25/2016 and available online at http://federalregister.gov/a/2016-06901, and on FDsys.gov March 21, 2016 MEMORANDUM FOR THE HEADS

More information

COUNTERING IMPROVISED EXPLOSIVE DEVICES

COUNTERING IMPROVISED EXPLOSIVE DEVICES COUNTERING IMPROVISED EXPLOSIVE DEVICES FEBRUARY 26, 2013 COUNTERING IMPROVISED EXPLOSIVE DEVICES Strengthening U.S. Policy Improvised explosive devices (IEDs) remain one of the most accessible weapons

More information

Developing a Holistic Strategy To Achieve Community Health Resilience

Developing a Holistic Strategy To Achieve Community Health Resilience Developing a Holistic Strategy To Achieve Community Health Resilience Paula Scalingi, Director Pacific Northwest Center for Regional Disaster Resilience Pacific Northwest Border Health Alliance Seventh

More information

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. By Christopher Ganizani Banda ICT Development Manager Malawi Communications Regulatory Authority 24-26th July,2016 Khartoum,

More information

Industry role moving forward

Industry role moving forward Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 THE WHITE HOUSE WASHINGTON January 23, 2012 The United States and nations around the world depend upon the efficient and secure transit

More information

PIPELINE SECURITY An Overview of TSA Programs

PIPELINE SECURITY An Overview of TSA Programs PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the

More information

Needs and Challenges Funding assistance Training Partnership capabilities and sustainment. Implement Risk Management

Needs and Challenges Funding assistance Training Partnership capabilities and sustainment. Implement Risk Management STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Region III The State,

More information

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas

More information

The Science and Technology Roadmap to Support the Implementation of the Sendai Framework for Disaster Risk Reduction

The Science and Technology Roadmap to Support the Implementation of the Sendai Framework for Disaster Risk Reduction 29 February 2016 The Science and Technology Roadmap to Support the Implementation of the Sendai Framework for Disaster Risk Reduction 2015-2030 The Sendai Framework for Disaster Risk Reduction 2015-2030

More information

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility Strategic Plan 2020 Addendum, April 2017 Our Agency, Our Mission, Our Responsibility [2] DSS Strategic Plan Addendum 2020 Addendum The DSS Strategic Plan 2020 is designed to support the agency s continuous

More information

Her Majesty the Queen in Right of Canada, Cat. No.: PS4-66/2014E-PDF ISBN:

Her Majesty the Queen in Right of Canada, Cat. No.: PS4-66/2014E-PDF ISBN: 2014-2017 Her Majesty the Queen in Right of Canada, 2014 Cat. No.: PS4-66/2014E-PDF ISBN: 978-1-100-23291-1 ii Table of contents 1. Introduction....3 What we have learned and what has changed...3 2. A

More information

Region Snapshot Region IV

Region Snapshot Region IV STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Region IV The State,

More information

RESILIENT AMERICA ROUNDTABLE: PARTNERING WITH COMMUNITIES TO BUILD RESILIENCE

RESILIENT AMERICA ROUNDTABLE: PARTNERING WITH COMMUNITIES TO BUILD RESILIENCE RESILIENT AMERICA ROUNDTABLE: PARTNERING WITH COMMUNITIES TO BUILD PRESENTATION TO THE PUGET SOUND REGIONAL COUNCIL TRANSPORTATION POLICY BOARD SEATTLE, WA MARCH 10, 2016 RESILIENCE OF THE NATIONAL ACADEMIES

More information

Summary of Cyber Security Issues in the Electric Power Sector

Summary of Cyber Security Issues in the Electric Power Sector Summary of Cyber Security Issues in the Electric Power Sector Jeff Dagle, PE Chief Electrical Engineer Energy Technology Development Group Pacific Northwest National Laboratory (509) 375-3629 jeff.dagle@pnl.gov

More information

National Strategy for CBRNE Standards

National Strategy for CBRNE Standards National Strategy for CBRNE Standards Franca R. Jones Assistant Director Chemical and Biological Countermeasures National Security and International Affairs Office of Science and Technology Policy 11 September

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory UAE National Space Policy Agenda Item 11; LSC 2017 06 April 2017 By: Space Policy and Regulations Directory 1 Federal Decree Law No.1 of 2014 establishes the UAE Space Agency UAE Space Agency Objectives

More information

Overview of the Cybersecurity Framework

Overview of the Cybersecurity Framework Overview of the Cybersecurity Framework Implementation of Executive Order 13636 Matt Barrett Program Manager matthew.barrett@nist.gov cyberframework@nist.gov 15 January 2015 Executive Order: Improving

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

Presentation on the Community Resilience Program

Presentation on the Community Resilience Program CIB Meeting Delft, The Netherlands May 21, 2015 Presentation on the Community Resilience Program Dr. Therese McAllister Engineering Laboratory National Institute of Standards and Technology U.S. Department

More information

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security Josha Jordan U.S. Department of Homeland Security National Protection and Programs Directorate

More information

Hazard Management Cayman Islands

Hazard Management Cayman Islands Hazard Management Cayman Islands Strategic Plan 2012 2016 Executive Summary HMCI strategic plan outlines the agency s outlook in the next five years and illustrates the main strategies as goals that will

More information

G7 Bar Associations and Councils

G7 Bar Associations and Councils COUNTRY PAPER UNITED STATES G7 Bar Associations and Councils SEPTEMBER 14, 2017 ROME, ITALY The American Bar Association P R E F A C E As we have witnessed, cyber terrorism is an extremely serious threat

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

The US National Near-Earth Object Preparedness Strategy and Action Plan

The US National Near-Earth Object Preparedness Strategy and Action Plan The US National Near-Earth Object Preparedness Strategy and Action Plan Briefing to SMPAG Lindley Johnson Program Executive / Planetary Defense Officer Science Mission Directorate NASA HQ October 18, 2018

More information

JSC THE JUSTICE & SAFETY CENTER. Snapshot 2014

JSC THE JUSTICE & SAFETY CENTER. Snapshot 2014 JSC THE JUSTICE & SAFETY CENTER Snapshot 2014 The Justice & Safety Center (JSC) is comprised of a team of faculty and staff professionals at Eastern Kentucky University (EKU) dedicated to strengthening

More information

Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved. FlyntGroup.

Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved. FlyntGroup. Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved FlyntGroup.com Flynt Group White Paper Bundling Arrows: Making a Business

More information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business

More information

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS Alice Lipper t Senior Technical Advisor Of fice of Electricity Deliver y and Energy Reliability (OE) US Depar tment of

More information

Regional Resilience: Prerequisite for Defense Industry Base Resilience

Regional Resilience: Prerequisite for Defense Industry Base Resilience Regional Resilience: Prerequisite for Defense Industry Base Resilience Paula Scalingi, Director Pacific Northwest Center for Regional Disaster Resilience Vice Chair, The Infrastructure Security Partnership

More information

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER) Welcome to today s NH-ISAC & MDISS Webinar Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER) 1 Agenda Everyone Denise Anderson Speaker Name Speaker Institution Topic

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

Working Draft Supplemental Tool: Connecting to the NICC and NCCIC Draft October 21, 2013

Working Draft Supplemental Tool: Connecting to the NICC and NCCIC Draft October 21, 2013 3000 Supplemental Tool: Connecting to the NICC and NCCIC 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029

More information

June 5, 2018 Independence, Ohio

June 5, 2018 Independence, Ohio June 5, 2018 Independence, Ohio The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Securing the Nation at the Community Level 2018 Cuyahoga

More information